The European Commission and the United States announced last Friday that they had reached an agreement on a new Trans-Atlantic Data Privacy Framework. The deal is meant to ensure that data transferred to the US is adequately protected, addressing the concerns raised in the EU Court of Justice's Schrems II ruling while supporting safe and secure data flows, a competitive digital economy and economic cooperation.
Based on the new framework, data will be able to flow freely and safely between the EU and participating US companies. The new framework ensures that:
access to data by US intelligence authorities is limited to what is necessary and proportionate, thus legitimate, to protect national security;
US intelligence agencies will adopt procedures to guarantee that national security objectives do not disproportionately impact individual privacy and civil rights protection;
EU nationals’ complaints about US intelligence agencies accessing their data will be investigated and resolved through a new two-tier redress system; a Data Protection Review Court, composed of individuals from outside the US government, will adjudicate such complaints under the new framework;
companies processing data transferred from the EU must still comply with the requirement to self-certify their adherence to the Principles through the US Department of Commerce;
specific monitoring and review mechanisms will be implemented.
The United States must issue an Executive Order containing the agreement’s commitments. Next, the Commission’s draft adequacy decision based on this Order must go through a review procedure involving the European Data Protection Board (EDPB). Access the new framework here → 
On March 22, 2022, Brazil submitted a bill that prohibits telemarketing without prior user consent. Read the Bill here → (in Portuguese)
The Norwegian DPA (Datatilsynet) published a handbook on data processing at work that seeks to strike a balance between workers’ legitimate expectations and employers’ legitimate interests. The handbook aims to ensure that personal information about employees is handled appropriately, while protecting employers’ legitimate interests as data controllers in deciding how best to conduct their businesses within the law. Access the handbook here → (in Norwegian)
2) Notable Case Law
The Italian DPA (Garante Privacy) fined a company 10,000 euros for processing personal data found on a former employee’s computer without having implemented internal guidance on the use of IT systems, particularly regarding email access, in violation of the GDPR. You can read more about the ruling here → (in Italian)
3) New and Upcoming Legislation
Privacy legislation in the US states:
Connecticut – On March 16, 2022, the Legislative Commissioner’s Office filed Bill (SB 6) for an Act Concerning Personal Data Privacy and Online Monitoring.
Indiana – The Bill (HB 1261) on consumer privacy failed to pass the House of Representatives and has been withdrawn.
Maine – The State Senate was presented with the Legislative Document (LD 1982) for an “Act To Protect the Privacy of Online Customer Information.”
Oklahoma – The Bill (HB 2969) for the “Oklahoma Computer Data Privacy Act” passed on March 23, 2022.
Utah – The State Governor signed Bill (SB 227) for the “Utah Consumer Privacy Act” (UCPA) on March 24, 2022.
Washington – The Washington Privacy Bill (SB 5062) failed to pass and was withdrawn.
According to new research, Google has been collecting extremely detailed data about the calls you make via the Phone app and the text messages you exchange on your Android phone. This practice may violate privacy protection rules mandated by law in some markets (e.g., the EU’s GDPR). Reported here →
Microsoft suffered a security breach by the hacker group Lapsus$, which compromised one of the company’s accounts last Tuesday. As a result, company systems could be accessed to a limited extent, but the breach did not involve the data of any Microsoft customers. Read more about the breach here →
Other key information from the past weeks
On Thursday evening, Parliament and Council negotiators reached an agreement on new EU rules to limit the market power of large online platforms, known as the Digital Markets Act (DMA). The DMA will blacklist certain practices used by large platforms acting as “gatekeepers,” allowing the Commission to conduct market investigations and sanction non-compliant behavior.
The United States Supreme Court’s judgment in FBI v. Fazaga, a case challenging FBI surveillance, will make it far more difficult for people to pursue surveillance suits and for US and EU negotiators to reach a long-term deal on transatlantic data transfers.